Posted
by
CmdrTaco
on Thursday January 20, 2011 @10:54AM
from the i-heard-that dept.

Blacklaw writes "A team of security researchers has created a proof-of-concept Trojan for Android handsets that is capable of listening out for credit card numbers — typed or spoken — and relaying them back to the application's creator. Once installed, Soundminder sits in the background and waits for a call to be placed — hence the access to the 'Phone calls' category. When triggered by a call, the application listens out for the user entering credit card information or a PIN and silently records the information, performing the necessary analysis to turn it from a sound recording into a number."

I'm thinking this through and thinking of my android-based device. For anything to gain access like this wouldn't the user need to be root?
Or can the app simply request permission?
(Disclaimer: I'm root and have cyanogen on my phone.)

The article says the application requests the following permissions:

Read Phone State and Identity: Used to know when your phone is calling

There's an additional app that requests Network Capabilities; it's used to relay the data. Since the original application doesn't request those capabilities, it's less obvious (although now a second application has to be installed).

Basically, the application masquerades as an overly-permissive "voice recorder". It registers to receive notifications when the "phone state" changes, and when you place a call it starts recording. It processes the audio and pulls out voice and touch-tone number sounds. It then passes that information to the "Deliverer" application, which forwards it to the bad guy. Two applications written by the same developer can share data, so they probably use that channel.

The scenario is that a user will install the recorder app because they want a voice recorder, and will install the "Deliverer" app for some unrelated reason. Neither app's permissions set off any warning bells, but, together, they can steal your data.

So no, no rooting necessary. Goes to underline the general idea - given any security fence and enough time to understand it, someone will find a way around it. It's not particularly creative or innovative - just one of those proofs-of-concept of the obvious that will get media attention. Android's permissions are a nice heads-up to the user, but you really need to know and trust the publisher before you give any of the more deadly set of permissions (e.g., hardware controls, network communication) to an app.

"That $50 liability limit also applies to ATM and debit cards, though holders of these cards might be liable for up to $500 if they fail to report the card's disappearance within two business days after they learn of the loss or theft of the card. (Debit and ATM card owners can be held responsible for all losses if they fail to report the theft within 60 days of when a bank statement showing unauthorized charges is mailed.) " -- http://www.scambusters.org/creditcard3.html [scambusters.org]